1. Field of the Invention
Methods and apparatuses consistent with the present invention relate to managing communication security in a wireless network, and more particularly, to allowing an external station to temporarily associate in a wireless network while maintaining communication security in the wireless network.
2. Description of the Related Art
With the development of communication and network technologies, the home network environment has recently been evolving from a wired network environment using a wired medium such as a coaxial cable or an optical fiber into a wireless network environment using radio signals in various frequency bands.
Unlike in a wired network, the data transmission path in a wireless network is not physically fixed. Therefore, communication in a wireless network is more vulnerable to security breaches than communication in a wired network. Accordingly, to accomplish secure wireless communication, most wireless communication protocols support encryption of transmitted data packets. To support the encryption, Wi-Fi Protected Access (WPA) or Wired Equivalent Privacy (WEP) is used for a wireless local area network (LAN).
WPA relates to wireless local area network (LAN) authentication and encryption, which was proposed by the Wi-Fi Alliance while the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard was being prepared. WPA also supports authentication in an ad-hoc network using an authentication scheme based on a pre-shared key (PSK: hereinafter, referred to as an initial key). In WPA, the Temporal Key Integrity Protocol (TKIP) is used as an encryption technique to provide data confidentiality. To enhance integrity and security in WPA, a message integrity check field is included in a transmission frame.
A process for setting a pairwise transient key (PTK: hereinafter, referred to as a security key) in a WPA-PSK mode using an initial key will be described with reference to FIG. 1.
FIG. 1 is a schematic flow diagram illustrating a conventional process of establishing a security key in a WPA-PSK mode.
In the WPA-PSK mode, an access point and a station which create a wireless network share the initial key. The initial key is used to generate a security key for secure communication between the access point and the station. In the WPA-PSK mode, a PSK key generation process is implemented by a four-way handshake process between an access point and a station.
In operation S110, the access point and the station are subjected to predetermined authentication and connection. For such authentication and connection, an open authentication procedure defined in the IEEE 802.11 standard may be used. Through the authentication and connection, the access point and the station acquire each other's medium access control (MAC) addresses, which are used to generate the security key.
Upon completion of the authentication and connection, the access point generates a first random number in operation S115 and the station generates a second random number in operation S120. A random number is a sequence of digits or characters that is unpredictable.
The access point sends a first message including the first random number to the station in operation S125.
Upon receiving the first message from the access point, the station generates a security key using the first random number, the second random number, the access point's MAC address, the station's MAC address, and the initial key and computes a message integrity check (MIC) using the security key in operation S130.
Thereafter, the station sends a second message including the second random number and the MIC to the access point in operation S135.
Upon receiving the second message from the station, the access point generates a security key using the first random number, the second random number, the access point's MAC address, the station's MAC address, and the initial key and computes an MIC using the security key in operation S140.
Here, the access point can determine whether the station holds the same security key as it does by comparing its own MIC with the MIC received through the second message. When the MIC computed by the access point is not the same as that received from the station, an MIC error occurs.
In this case, the access point interrupts communication with the station. When an MIC error does not occur, the access point sends a third message including its MIC and a receive sequence counter to the station in operation S145.
Upon receiving the third message from the access point, the station computes an MIC using its security key. When it is determined that the MIC received from the access point is the same as that computed by the station, the station sets the security key generated in operation S130 to secure the communication with the access point in operation S150.
Thereafter, the station sends a fourth message requesting the access point to set the security key in operation S155.
Upon receiving the fourth message from the station, the access point sets the security key that it has generated to secure the communication with the station in operation S160.
In such a way, each station in a wireless network can generate a security key shared with an access point. Since each station generates a security key using different parameters (for example, a random number and each station's MAC address), each station sets a security key that is known only to itself and the access point.
Once the security key is set, the access point and the station can encrypt data to be transmitted therebetween using the security key and can decrypt the encrypted data received from each other using the security key.
As described above, to generate a security key in the WPA-PSK mode, an initial key is needed, and an external station that does not have the same initial key as the access point cannot generate the same security key as the access point. Accordingly, in the WPA-PSK mode, an external station is prevented from accessing a wireless network without permission.
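The following Python simulation of the four-way handshake of FIG. 1 is an added example; it is not code from the patent or from any vendor's implementation. It assumes an 802.11i-style HMAC-SHA1 pseudo-random function for deriving the security key from the initial key, both MAC addresses and both random numbers, and an HMAC-SHA1 MIC keyed with the first 16 bytes of the derived key; the MAC addresses and initial keys are constructed sample values. It shows both the successful case (access point and station share the initial key) and the failure case the passage above describes (an external station with a different initial key derives a different security key, so its MIC does not verify and the access point interrupts communication).

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the patent): a home access point, a
# home station, and a visitor's external station that lacks the initial key.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
HOME_INITIAL_KEY = b"home-network-initial-key"
VISITOR_INITIAL_KEY = b"some-other-initial-key"


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """HMAC-SHA1 based expansion in the style of the IEEE 802.11i PRF-n (assumption)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_security_key(initial_key: bytes, ap_mac: bytes, sta_mac: bytes,
                        ap_nonce: bytes, sta_nonce: bytes) -> bytes:
    """Security key (PTK) from the initial key, both MAC addresses and both random numbers.
    Inputs are ordered min/max so that both sides derive the same key."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(ap_nonce, sta_nonce) + max(ap_nonce, sta_nonce))
    return prf(initial_key, b"Pairwise key expansion", data, 64)


def compute_mic(security_key: bytes, message: bytes) -> bytes:
    """MIC over a handshake message, keyed with the first 16 bytes of the security key."""
    kck = security_key[:16]
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def run_handshake(ap_initial_key: bytes, sta_initial_key: bytes,
                  ap_mac: bytes, sta_mac: bytes) -> dict:
    """Simulates operations S115 to S160 and reports whether the key was installed."""
    ap_nonce = os.urandom(32)    # S115: first random number
    sta_nonce = os.urandom(32)   # S120: second random number

    # S125: first message carries the access point's random number.
    msg1 = ap_nonce

    # S130: station derives its security key and computes an MIC for message 2.
    sta_key = derive_security_key(sta_initial_key, ap_mac, sta_mac, msg1, sta_nonce)
    msg2_body = sta_nonce
    msg2_mic = compute_mic(sta_key, msg2_body)

    # S140: access point derives its own key and checks the station's MIC.
    ap_key = derive_security_key(ap_initial_key, ap_mac, sta_mac, ap_nonce, msg2_body)
    if not hmac.compare_digest(compute_mic(ap_key, msg2_body), msg2_mic):
        return {"mic_error": True, "installed": False, "keys_match": False}

    # S145: third message carries the access point's MIC and a receive sequence counter.
    msg3_body = b"\x00" * 8   # receive sequence counter, all zero for a fresh key
    msg3_mic = compute_mic(ap_key, msg3_body)

    # S150: station verifies the access point's MIC before installing its key.
    if not hmac.compare_digest(compute_mic(sta_key, msg3_body), msg3_mic):
        return {"mic_error": True, "installed": False, "keys_match": False}

    # S155/S160: fourth message confirms; both sides install the security key.
    msg4_mic = compute_mic(sta_key, b"key-install-request")
    if not hmac.compare_digest(compute_mic(ap_key, b"key-install-request"), msg4_mic):
        return {"mic_error": True, "installed": False, "keys_match": False}

    return {"mic_error": False, "installed": True, "keys_match": ap_key == sta_key}


if __name__ == "__main__":
    print("home station:", run_handshake(HOME_INITIAL_KEY, HOME_INITIAL_KEY, AP_MAC, STA_MAC))
    print("external station:", run_handshake(HOME_INITIAL_KEY, VISITOR_INITIAL_KEY, AP_MAC, STA_MAC))
```

The random numbers are freshly drawn on every run, so two successful handshakes between the same pair of devices still yield different security keys, which is the property the text relies on when it says each station's key is known only to itself and the access point. The MIC comparisons use a constant-time compare so that the check itself does not leak information about the expected value.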
In this situation, the initial key should be protected so that it is not revealed outside the wireless network. Once the initial key is revealed to an external station, a wireless network manager needs to set a new initial key in all network apparatus (i.e., the access point and the stations) in the wireless network.
Such conventional technology is inconvenient for a wireless network manager managing a wireless network when it is necessary to permit an external station to temporarily associate in the wireless network.
For example, in the conventional technology, to permit an external station possessed by a visitor to temporarily associate in a home network, the network manager allows the external station to share an initial key used in the home network.
In other words, the external station stores the initial key used in the home network. Accordingly, even after it stops associating in communication with the home network (for example, when the visitor carrying the external station leaves), the external station can still share a security key with an access point of the home network through the process illustrated in FIG. 1. In this case, the external station can freely associate in the home network without the network manager's permission. To prevent such association without permission, the network manager must change the initial key in the access point and all stations in the home network once the initial key is revealed to the external station.
However, it is inconvenient for the network manager to change the initial key in the access point and all stations in the home network. In particular, such inconvenience becomes more serious in a wireless network in which temporary association of an external station occurs frequently, or in a wireless network in which a large number of access points and stations associate in communication.